Bug 1900483 - Update central with the latest beta/release 127 changes for OSAuth. r=issammani,Gijs,firefox-desktop-core-reviewers

*** Bug 1898323 - follow-up: fix tests now that beta/release default to not enabling CC/pwd autofill os reauth *** Bug 1898323 - fix about:logins and formautofill tests better given the disabling of OS reauth on beta/release *** Bug 1898323 - Fix OsAuth migration for beta and have it disabled by default on Beta and Release. r=ssachdev!,issammani! *** Bug 1899368 - Disable OS Auth for new users in Beta and Release. r=issammani!,gijs! *** Aligned anti_clickjacking with beta Differential Revision: https://phabricator.services.mozilla.com/D212577
2024-06-05 08:14:28 +00:00 · 2024-06-05 08:14:28 +00:00 · 2f9b97b28f
commit 2f9b97b28f
parent 1db9383d87
13 changed files with 274 additions and 87 deletions
--- a/browser/components/BrowserGlue.sys.mjs
+++ b/browser/components/BrowserGlue.sys.mjs
@ -1479,6 +1479,17 @@ BrowserGlue.prototype = {
      lazy.PdfJs.checkIsDefault(this._isNewProfile);
    }

+    if (!AppConstants.NIGHTLY_BUILD && this._isNewProfile) {
+      lazy.FormAutofillUtils.setOSAuthEnabled(
+        lazy.FormAutofillUtils.AUTOFILL_CREDITCARDS_REAUTH_PREF,
+        false
+      );
+      lazy.LoginHelper.setOSAuthEnabled(
+        lazy.LoginHelper.OS_AUTH_FOR_PASSWORDS_PREF,
+        false
+      );
+    }
+
    listeners.init();

    lazy.SessionStore.init();
@ -4473,40 +4484,49 @@ BrowserGlue.prototype = {
      }
    }

-    // < 147 because 146 migration had a typo issue (was supposed to be 'creditCards' instead of 'creditcards'). This fixes that.
-    // 'creditCards' is now in AUTOFILL_CREDITCARDS_REAUTH_PREF.
+    // Version 146 had a typo issue and thus it has been replaced by 147.
+
    if (currentUIVersion < 147) {
      // We're securing the boolean prefs for OS Authentication.
      // This is achieved by converting them into a string pref and encrypting the values
      // stored inside it.

      if (!AppConstants.NIGHTLY_BUILD) {
-        const savedmstone = Services.prefs.getCharPref(
-          "browser.startup.homepage_override.mstone",
-          ""
-        );
+        const hasRunBetaMigration = Services.prefs
+          .getCharPref("browser.startup.homepage_override.mstone", "")
+          .startsWith("127.0");

-        if (savedmstone.startsWith("127.0b")) {
-          // If the saved milestone starts with "127.0b",  we know that the migration is happened.
-          // Hence, get value from typo pref and store it in the correct pref.
-          const ccPrevReauthPrefValue = lazy.FormAutofillUtils.getOSAuthEnabled(
+        // Version 146 UI migration wrote to a wrong `creditcards` pref when
+        // the feature was disabled, instead it should have used `creditCards`.
+        // The correct pref name is in AUTOFILL_CREDITCARDS_REAUTH_PREF.
+        // Note that we only wrote prefs if the feature was disabled.
+        let ccTypoDisabled = !lazy.FormAutofillUtils.getOSAuthEnabled(
          "extensions.formautofill.creditcards.reauth.optout"
        );
+        let ccCorrectPrefDisabled = !lazy.FormAutofillUtils.getOSAuthEnabled(
+          lazy.FormAutofillUtils.AUTOFILL_CREDITCARDS_REAUTH_PREF
+        );
+        let ccPrevReauthPrefValue = Services.prefs.getBoolPref(
+          "extensions.formautofill.reauth.enabled",
+          false
+        );
+
+        let userHadEnabledCreditCardReauth =
+          // If we've run beta migration, and neither typo nor correct pref
+          // indicate disablement, the user enabled the pref:
+          (hasRunBetaMigration && !ccTypoDisabled && !ccCorrectPrefDisabled) ||
+          // Or if we never ran beta migration and the bool pref is set:
+          ccPrevReauthPrefValue;
+
        lazy.FormAutofillUtils.setOSAuthEnabled(
          lazy.FormAutofillUtils.AUTOFILL_CREDITCARDS_REAUTH_PREF,
-            ccPrevReauthPrefValue
-          );
-        } else {
-          // In other case, migrations has not happened, get values from the old prefs and store in the new correct prefs.
-          const ccPrevReauthPrefValue = Services.prefs.getBoolPref(
-            "extensions.formautofill.reauth.enabled"
+          userHadEnabledCreditCardReauth
        );
+
+        if (!hasRunBetaMigration) {
          const passwordsPrevReauthPrefValue = Services.prefs.getBoolPref(
-            "signon.management.page.os-auth.enabled"
-          );
-          lazy.FormAutofillUtils.setOSAuthEnabled(
-            lazy.FormAutofillUtils.AUTOFILL_CREDITCARDS_REAUTH_PREF,
-            ccPrevReauthPrefValue
+            "signon.management.page.os-auth.enabled",
+            false
          );
          lazy.LoginHelper.setOSAuthEnabled(
            lazy.LoginHelper.OS_AUTH_FOR_PASSWORDS_PREF,
--- a/browser/components/aboutlogins/tests/browser/browser_osAuthDialog.js
+++ b/browser/components/aboutlogins/tests/browser/browser_osAuthDialog.js
@ -15,6 +15,8 @@ const SELECTORS = {
 add_setup(async function () {
  TEST_LOGIN1 = await addLogin(TEST_LOGIN1);
  TEST_LOGIN2 = await addLogin(TEST_LOGIN2);
+  // Undo mocking from head.js
+  sinon.restore();
 });

 add_task(async function test_os_auth_enabled_with_checkbox() {
@ -24,16 +26,20 @@ add_task(async function test_os_auth_enabled_with_checkbox() {
    async function (browser) {
      await finalPrefPaneLoaded;

-      await SpecialPowers.spawn(browser, [SELECTORS], async selectors => {
+      await SpecialPowers.spawn(
+        browser,
+        [SELECTORS, AppConstants.NIGHTLY_BUILD],
+        async (selectors, isNightly) => {
          is(
            content.document.querySelector(selectors.reauthCheckbox).checked,
-          true,
+            isNightly,
            "OSReauth for Passwords should be checked"
          );
-      });
+        }
+      );
      is(
        LoginHelper.getOSAuthEnabled(PASSWORDS_OS_REAUTH_PREF),
-        true,
+        AppConstants.NIGHTLY_BUILD,
        "OSAuth should be enabled."
      );
    }
--- a/browser/components/aboutlogins/tests/browser/browser_removeAllDialog.js
+++ b/browser/components/aboutlogins/tests/browser/browser_removeAllDialog.js
@ -78,6 +78,10 @@ async function waitForRemoveAllLogins() {
 }

 add_setup(async function () {
+  // Undo mocking from head.js
+  sinon.restore();
+
+  let oldPrefValue = LoginHelper.getOSAuthEnabled(PASSWORDS_OS_REAUTH_PREF);
  LoginHelper.setOSAuthEnabled(PASSWORDS_OS_REAUTH_PREF, false);
  await BrowserTestUtils.openNewForegroundTab({
    gBrowser,
@ -86,7 +90,7 @@ add_setup(async function () {
  registerCleanupFunction(async () => {
    BrowserTestUtils.removeTab(gBrowser.selectedTab);
    Services.logins.removeAllUserFacingLogins();
-    LoginHelper.setOSAuthEnabled(PASSWORDS_OS_REAUTH_PREF, true);
+    LoginHelper.setOSAuthEnabled(PASSWORDS_OS_REAUTH_PREF, oldPrefValue);
  });
  TEST_LOGIN1 = await addLogin(TEST_LOGIN1);
 });
--- a/browser/components/aboutlogins/tests/browser/head.js
+++ b/browser/components/aboutlogins/tests/browser/head.js
@ -18,6 +18,19 @@ const { OSKeyStore } = ChromeUtils.importESModule(
  "resource://gre/modules/OSKeyStore.sys.mjs"
 );

+let { sinon } = ChromeUtils.importESModule(
+  "resource://testing-common/Sinon.sys.mjs"
+);
+
+// Always pretend OS Auth is enabled in this dir.
+if (OSKeyStoreTestUtils.canTestOSKeyStoreLogin() && OSKeyStore.canReauth()) {
+  // Enable OS reauth so we can test it.
+  sinon.stub(LoginHelper, "getOSAuthEnabled").returns(true);
+  registerCleanupFunction(() => {
+    sinon.restore();
+  });
+}
+
 var { LoginTestUtils } = ChromeUtils.importESModule(
  "resource://testing-common/LoginTestUtils.sys.mjs"
 );
--- a/browser/components/enterprisepolicies/tests/browser/browser_policy_masterpassword.js
+++ b/browser/components/enterprisepolicies/tests/browser/browser_policy_masterpassword.js
@ -7,6 +7,25 @@ let { LoginTestUtils } = ChromeUtils.importESModule(
  "resource://testing-common/LoginTestUtils.sys.mjs"
 );

+let { sinon } = ChromeUtils.importESModule(
+  "resource://testing-common/Sinon.sys.mjs"
+);
+
+let { FormAutofillUtils } = ChromeUtils.importESModule(
+  "resource://gre/modules/shared/FormAutofillUtils.sys.mjs"
+);
+
+add_setup(async function () {
+  // Stub these out so we don't end up invoking the MP dialog
+  // in order to decrypt prefs to find out if these are enabled or disabled.
+  sinon.stub(FormAutofillUtils, "getOSAuthEnabled").returns(false);
+  sinon.stub(LoginHelper, "getOSAuthEnabled").returns(false);
+
+  registerCleanupFunction(async function () {
+    sinon.restore();
+  });
+});
+
 // Test that once a password is set, you can't unset it
 add_task(async function test_policy_masterpassword_set() {
  await setupPolicyEngineWithJson({
--- a/browser/components/tests/browser/browser.toml
+++ b/browser/components/tests/browser/browser.toml
@ -4,6 +4,9 @@ support-files = [
  "../../../../dom/security/test/csp/dummy.pdf",
 ]

+["browser_browserGlue_os_auth.js"]
+skip-if = ["os == 'linux'"]
+
 ["browser_browserGlue_showModal_trigger.js"]

 ["browser_browserGlue_telemetry.js"]
--- a/browser/components/tests/browser/browser_browserGlue_os_auth.js
+++ b/browser/components/tests/browser/browser_browserGlue_os_auth.js
@ -0,0 +1,25 @@
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+"use strict";
+
+const { FormAutofillUtils } = ChromeUtils.importESModule(
+  "resource://gre/modules/shared/FormAutofillUtils.sys.mjs"
+);
+
+// Check whether os auth is disabled by default on a new profile in Beta and Release.
+add_task(async function test_creditCards_os_auth_disabled_for_new_profile() {
+  Assert.equal(
+    FormAutofillUtils.getOSAuthEnabled(
+      FormAutofillUtils.AUTOFILL_CREDITCARDS_REAUTH_PREF
+    ),
+    AppConstants.NIGHTLY_BUILD,
+    "OS Auth should be disabled for credit cards by default for a new profile."
+  );
+
+  Assert.equal(
+    LoginHelper.getOSAuthEnabled(LoginHelper.OS_AUTH_FOR_PASSWORDS_PREF),
+    AppConstants.NIGHTLY_BUILD,
+    "OS Auth should be disabled for passwords by default for a new profile."
+  );
+});
--- a/browser/components/tests/unit/test_browserGlue_migration_osauth.js
+++ b/browser/components/tests/unit/test_browserGlue_migration_osauth.js
@ -24,8 +24,7 @@ const CC_NEW_PREF = FormAutofillUtils.AUTOFILL_CREDITCARDS_REAUTH_PREF;
 const PASSWORDS_OLD_PREF = "signon.management.page.os-auth.enabled";
 const PASSWORDS_NEW_PREF = LoginHelper.OS_AUTH_FOR_PASSWORDS_PREF;

-add_task(async function setup() {
-  registerCleanupFunction(() => {
+function clearPrefs() {
  Services.prefs.clearUserPref("browser.migration.version");
  Services.prefs.clearUserPref(CC_OLD_PREF);
  Services.prefs.clearUserPref(CC_TYPO_PREF);
@ -33,19 +32,27 @@ add_task(async function setup() {
  Services.prefs.clearUserPref(PASSWORDS_OLD_PREF);
  Services.prefs.clearUserPref(PASSWORDS_NEW_PREF);
  Services.prefs.clearUserPref("browser.startup.homepage_override.mstone");
-  });
+}
+
+function simulateUIMigration() {
+  gBrowserGlue.observe(
+    null,
+    TOPIC_BROWSERGLUE_TEST,
+    TOPICDATA_BROWSERGLUE_TEST
+  );
+}
+
+add_task(async function setup() {
+  registerCleanupFunction(clearPrefs);
 });

 add_task(async function test_pref_migration_old_pref_os_auth_disabled() {
  Services.prefs.setIntPref("browser.migration.version", UI_VERSION - 1);
  Services.prefs.setBoolPref(CC_OLD_PREF, false);
  Services.prefs.setBoolPref(PASSWORDS_OLD_PREF, false);
-  // Simulate a migration.
-  gBrowserGlue.observe(
-    null,
-    TOPIC_BROWSERGLUE_TEST,
-    TOPICDATA_BROWSERGLUE_TEST
-  );
+
+  simulateUIMigration();
+
  Assert.ok(
    !FormAutofillUtils.getOSAuthEnabled(CC_NEW_PREF),
    "OS Auth should be disabled for credit cards since it was disabled before migration."
@ -54,18 +61,16 @@ add_task(async function test_pref_migration_old_pref_os_auth_disabled() {
    !LoginHelper.getOSAuthEnabled(PASSWORDS_NEW_PREF),
    "OS Auth should be disabled for passwords since it was disabled before migration."
  );
+  clearPrefs();
 });

 add_task(async function test_pref_migration_old_pref_os_auth_enabled() {
  Services.prefs.setIntPref("browser.migration.version", UI_VERSION - 1);
  Services.prefs.setBoolPref(CC_OLD_PREF, true);
  Services.prefs.setBoolPref(PASSWORDS_OLD_PREF, true);
-  // Simulate a migration.
-  gBrowserGlue.observe(
-    null,
-    TOPIC_BROWSERGLUE_TEST,
-    TOPICDATA_BROWSERGLUE_TEST
-  );
+
+  simulateUIMigration();
+
  Assert.ok(
    FormAutofillUtils.getOSAuthEnabled(CC_NEW_PREF),
    "OS Auth should be enabled for credit cards since it was enabled before migration."
@ -74,6 +79,7 @@ add_task(async function test_pref_migration_old_pref_os_auth_enabled() {
    LoginHelper.getOSAuthEnabled(PASSWORDS_NEW_PREF),
    "OS Auth should be enabled for passwords since it was enabled before migration."
  );
+  clearPrefs();
 });

 add_task(
@ -81,19 +87,17 @@ add_task(
    Services.prefs.setIntPref("browser.migration.version", UI_VERSION - 1);
    Services.prefs.setCharPref(
      "browser.startup.homepage_override.mstone",
-      "127.0b6"
+      "127.0"
    );
    FormAutofillUtils.setOSAuthEnabled(CC_TYPO_PREF, false);
-    // Simulate a migration.
-    gBrowserGlue.observe(
-      null,
-      TOPIC_BROWSERGLUE_TEST,
-      TOPICDATA_BROWSERGLUE_TEST
-    );
+
+    simulateUIMigration();
+
    Assert.ok(
      !FormAutofillUtils.getOSAuthEnabled(CC_NEW_PREF),
      "OS Auth should be disabled for credit cards since it was disabled before migration."
    );
+    clearPrefs();
  }
 );

@ -102,18 +106,54 @@ add_task(
    Services.prefs.setIntPref("browser.migration.version", UI_VERSION - 1);
    Services.prefs.setCharPref(
      "browser.startup.homepage_override.mstone",
-      "127.0b6"
+      "127.0"
    );
    FormAutofillUtils.setOSAuthEnabled(CC_TYPO_PREF, true);
-    // Simulate a migration.
-    gBrowserGlue.observe(
-      null,
-      TOPIC_BROWSERGLUE_TEST,
-      TOPICDATA_BROWSERGLUE_TEST
-    );
+
+    simulateUIMigration();
+
    Assert.ok(
      FormAutofillUtils.getOSAuthEnabled(CC_NEW_PREF),
      "OS Auth should be enabled for credit cards since it was enabled before migration."
    );
+    clearPrefs();
+  }
+);
+
+add_task(
+  async function test_creditCards_pref_migration_real_pref_os_auth_disabled() {
+    Services.prefs.setIntPref("browser.migration.version", UI_VERSION - 1);
+    Services.prefs.setCharPref(
+      "browser.startup.homepage_override.mstone",
+      "127.0"
+    );
+    FormAutofillUtils.setOSAuthEnabled(CC_NEW_PREF, false);
+
+    simulateUIMigration();
+
+    Assert.ok(
+      !FormAutofillUtils.getOSAuthEnabled(CC_NEW_PREF),
+      "OS Auth should be disabled for credit cards since it was disabled before migration."
+    );
+    clearPrefs();
+  }
+);
+
+add_task(
+  async function test_creditCards_pref_migration_real_pref_os_auth_enabled() {
+    Services.prefs.setIntPref("browser.migration.version", UI_VERSION - 1);
+    Services.prefs.setCharPref(
+      "browser.startup.homepage_override.mstone",
+      "127.0"
+    );
+    FormAutofillUtils.setOSAuthEnabled(CC_NEW_PREF, true);
+
+    simulateUIMigration();
+
+    Assert.ok(
+      FormAutofillUtils.getOSAuthEnabled(CC_NEW_PREF),
+      "OS Auth should be enabled for credit cards since it was enabled before migration."
+    );
+    clearPrefs();
  }
 );
--- a/browser/components/tests/unit/xpcshell.toml
+++ b/browser/components/tests/unit/xpcshell.toml
@ -11,7 +11,7 @@ support-files = ["distribution.ini"]
 ["test_browserGlue_migration_no_errors.js"]

 ["test_browserGlue_migration_osauth.js"]
-run-if = ["!nightly_build"]
+skip-if = ["nightly_build", "os == 'linux'"]

 ["test_browserGlue_migration_places_xulstore.js"]

--- a/browser/extensions/formautofill/test/browser/creditCard/browser_anti_clickjacking.js
+++ b/browser/extensions/formautofill/test/browser/creditCard/browser_anti_clickjacking.js
@ -16,6 +16,26 @@ add_task(async function setup_storage() {
  );
 });

+async function disableOSAuthForThisTest() {
+  // Revert head.js change that mocks os auth
+  sinon.restore();
+
+  let oldValue = FormAutofillUtils.getOSAuthEnabled(
+    FormAutofillUtils.AUTOFILL_CREDITCARDS_REAUTH_PREF
+  );
+  FormAutofillUtils.setOSAuthEnabled(
+    FormAutofillUtils.AUTOFILL_CREDITCARDS_REAUTH_PREF,
+    false
+  );
+
+  registerCleanupFunction(() => {
+    FormAutofillUtils.setOSAuthEnabled(
+      FormAutofillUtils.AUTOFILL_CREDITCARDS_REAUTH_PREF,
+      oldValue
+    );
+  });
+}
+
 add_task(async function test_active_delay() {
  // This is a workaround for the fact that we don't have a way
  // to know when the popup was opened exactly and this makes our test
@ -28,10 +48,9 @@ add_task(async function test_active_delay() {
  await SpecialPowers.pushPrefEnv({
    set: [["security.notification_enable_delay", 1000]],
  });
-  FormAutofillUtils.setOSAuthEnabled(
-    FormAutofillUtils.AUTOFILL_CREDITCARDS_REAUTH_PREF,
-    false
-  );
+
+  await disableOSAuthForThisTest();
+
  await BrowserTestUtils.withNewTab(
    { gBrowser, url: CC_URL },
    async function (browser) {
@ -122,8 +141,4 @@ add_task(async function test_no_delay() {
      await closePopup(browser);
    }
  );
-  FormAutofillUtils.setOSAuthEnabled(
-    FormAutofillUtils.AUTOFILL_CREDITCARDS_REAUTH_PREF,
-    true
-  );
 });
--- a/browser/extensions/formautofill/test/browser/creditCard/browser_creditCard_osAuth.js
+++ b/browser/extensions/formautofill/test/browser/creditCard/browser_creditCard_osAuth.js
@ -11,6 +11,9 @@ const SELECTORS = {
 requestLongerTimeout(2);

 add_setup(async function () {
+  // Revert head.js change that mocks os auth
+  sinon.restore();
+
  // Load in a few credit cards
  await SpecialPowers.pushPrefEnv({
    set: [["privacy.reduceTimerPrecision", false]],
@ -25,18 +28,22 @@ add_task(async function test_os_auth_enabled_with_checkbox() {
    async function (browser) {
      await finalPrefPaneLoaded;

-      await SpecialPowers.spawn(browser, [SELECTORS], async selectors => {
+      await SpecialPowers.spawn(
+        browser,
+        [SELECTORS, AppConstants.NIGHTLY_BUILD],
+        async (selectors, isNightly) => {
          is(
            content.document.querySelector(selectors.reauthCheckbox).checked,
-          true,
+            isNightly,
            "OSReauth for credit cards should be checked"
          );
-      });
+        }
+      );
      is(
        FormAutofillUtils.getOSAuthEnabled(
          FormAutofillUtils.AUTOFILL_CREDITCARDS_REAUTH_PREF
        ),
-        true,
+        AppConstants.NIGHTLY_BUILD,
        "OSAuth should be enabled."
      );
    }
--- a/browser/extensions/formautofill/test/browser/head.js
+++ b/browser/extensions/formautofill/test/browser/head.js
@ -28,6 +28,23 @@ const { FormAutofillUtils } = ChromeUtils.importESModule(
  "resource://gre/modules/shared/FormAutofillUtils.sys.mjs"
 );

+let { sinon } = ChromeUtils.importESModule(
+  "resource://testing-common/Sinon.sys.mjs"
+);
+
+// Always pretend OS Auth is enabled in this dir.
+if (
+  gTestPath.includes("browser/creditCard") &&
+  OSKeyStoreTestUtils.canTestOSKeyStoreLogin() &&
+  OSKeyStore.canReauth()
+) {
+  info("Stubbing out getOSAuthEnabled so it always returns true");
+  sinon.stub(FormAutofillUtils, "getOSAuthEnabled").returns(true);
+  registerCleanupFunction(() => {
+    sinon.restore();
+  });
+}
+
 const MANAGE_ADDRESSES_DIALOG_URL =
  "chrome://formautofill/content/manageAddresses.xhtml";
 const MANAGE_CREDIT_CARDS_DIALOG_URL =
--- a/browser/extensions/formautofill/test/mochitest/formautofill_common.js
+++ b/browser/extensions/formautofill/test/mochitest/formautofill_common.js
@ -2,6 +2,10 @@
 /* import-globals-from ../../../../../testing/mochitest/tests/SimpleTest/EventUtils.js */
 /* import-globals-from ../../../../../toolkit/components/satchel/test/satchel_common.js */
 /* eslint-disable no-unused-vars */
+// Despite a use of `spawnChrome` and thus ChromeUtils, we can't use isInstance
+// here as it gets used in plain mochitests which don't have the ChromeOnly
+// APIs for it.
+/* eslint-disable mozilla/use-isInstance */

 "use strict";

@ -378,7 +382,21 @@ async function canTestOSKeyStoreLogin() {
 }

 async function waitForOSKeyStoreLogin(login = false) {
+  // Need to fetch this from the parent in order for it to be correct.
+  let isOSAuthEnabled = await SpecialPowers.spawnChrome([], () => {
+    // Need to re-import this because we're running in the parent.
+    // eslint-disable-next-line no-shadow
+    const { FormAutofillUtils } = ChromeUtils.importESModule(
+      "resource://gre/modules/shared/FormAutofillUtils.sys.mjs"
+    );
+
+    return FormAutofillUtils.getOSAuthEnabled(
+      FormAutofillUtils.AUTOFILL_CREDITCARDS_REAUTH_PREF
+    );
+  });
+  if (isOSAuthEnabled) {
    await invokeAsyncChromeTask("FormAutofillTest:OSKeyStoreLogin", { login });
+  }
 }

 function patchRecordCCNumber(record) {